A denial of service attack is the flooding of a computer, such as a server, with requests, such as “get” and “post” HTTP requests for web pages, TCP/IP requests for information, FTP or SCP requests for a file, and LDAP directory requests, and requests to open a session. This flood burdens the computer, i.e. consumes the computer's resources (such as processor, memory, etc.), so the computer cannot handle other, legitimate requests in a timely manner. Typically, the requests of the denial of service of attack originate from one source IP address or a range of source IP addresses within a same subnet. It was known to automatically examine the source IP addresses of requests, received by a computer, and determine the total number of requests originating from the same source IP address or range of source IP addresses over a predetermined unit of time. If this number exceeds a respective threshold or is much larger than experienced in the past, this may indicate a denial of service attack. In such a case, a known Denial of Service Analyzer (“DOSA”) program would automatically update/reconfigure a firewall to block subsequent incoming requests from this source IP address or range of source IP addresses, and notify an administrator. The DOSA program would use a combination of historical as well as a mathematical algorithm(s) to determine if the requests were bona fide. If the program is not configured to automatically update the firewall rules automatically, the program will send an e-mail to the administrator. If the administrator confirms a denial of service attack, then the administrator would manually update/reconfigure the firewall to block subsequent incoming requests from this source IP address or range of source IP addresses.
There are other known ways to identify a denial of service attack. A known DOSA program determines a total number of requests for a specific file or application, from any source IP address. If that number is excessive based on historical data and/or hard coded rules, then the DOSA program notifies an administrator that a denial of service attack is suspected or modifies the firewall rules to block the offending requests.
It was also known to organize computers into a cluster for load balancing and to provide high reliability in case of failure of one computer in the cluster. Each of the computers in the cluster typically executes the same application(s). It was also known to provide a “proxy” server to act as a gateway to the cluster. The proxy server receives all requests for the cluster, and distributes them to the computers in the cluster according to a load balancing algorithm. For high volume applications, there may be more than one cluster of computers, each with its own proxy server. In such a case, there may be a load balancer as a gateway to the proxy servers. The load balancer determines which proxy server to route each request, based on a known load balancing algorithm which evaluates the availability of the servers within each cluster.
If a denial of service attack is directed to two or more (stand-alone) computers or clusters of servers, the associated requests are divided between the two or more (stand-alone) computers or proxy servers. In such a case, the denial of service attack may be difficult to detect because no one computer or proxy server may receive more than a predetermined threshold number of requests.
Accordingly, an object of the present invention is to detect a denial of service attack directed to two or more computers or clusters or computers.